Tag: Information Stealer

All articles tagged with #information stealer

RisePro Info Stealer Spreading Through GitHub Repositories

Originally Published 1 year ago — by The Hacker News

Source: The Hacker News

Cybersecurity researchers have discovered GitHub repositories offering cracked software used to distribute the RisePro information stealer. The repositories, which have since been removed, contained RAR archives with an installer file that unpacks the next-stage payload, injecting RisePro into system processes. RisePro is designed to gather sensitive information and exfiltrate it to Telegram channels. This discovery comes amid a rise in popularity of information-stealing malware, which is increasingly used as the primary vector for ransomware and high-impact data breaches.

JaskaGO Malware: A Cross-Platform Threat to Windows and macOS Systems

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

A new cross-platform information stealer malware called JaskaGO has been discovered, targeting both Windows and macOS systems. Equipped with an extensive array of commands from its command-and-control server, JaskaGO disguises itself as legitimate software installers and runs checks to avoid detection. It can harvest information, modify the clipboard for cryptocurrency theft, and establish persistence within macOS systems. The distribution method and scale of the campaign are currently unknown. JaskaGO highlights the growing trend of malware development using the Go programming language.

The Evolution of Rhadamanthys Malware: A Powerful Information Stealer

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

The Rhadamanthys information stealer malware has been evolving with new features and a plugin system that allows for customization, making it a versatile threat. It is distributed through malicious websites and can harvest sensitive information from compromised hosts, including web browsers, crypto wallets, email clients, VPNs, and instant messaging apps. The malware's development shows similarities to the Hidden Bee coin miner, indicating a fast-paced and ongoing evolution. The current version, 0.5.2, includes a new plugin system that enables customers to deploy additional tools tailored to their targets. Additionally, the malware uses a Lua script runner to extract information from various sources and has added clipper functionality to divert cryptocurrency payments. The findings coincide with the discovery of new AsyncRAT infection chains that use a legitimate Microsoft process to deploy a remote access trojan (RAT) via phishing attacks.

Rising Threat: ASMCrypt Malware Loader Exploits Cybercrime Underground

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

BunnyLoader, a new malware-as-a-service (MaaS) threat, has been discovered in the cybercrime underground. It offers various functionalities such as downloading and executing payloads, stealing browser credentials, and running remote commands. BunnyLoader incorporates anti-sandbox and antivirus evasion techniques and has a fileless loading feature. The malware sets up persistence via a Windows Registry change and performs sandbox and virtual machine checks before activating its malicious behavior. It includes tasks for downloading and executing next-stage malware, running keyloggers and stealers, and redirecting cryptocurrency payments. BunnyLoader is continuously evolving and adding new features to carry out successful campaigns. This discovery follows the emergence of other information stealer malware strains, such as Agniane Stealer and The-Murk-Stealer.

Beware of Fake Bitwarden Sites Spreading ZenRAT Malware

Originally Published 2 years ago — by BleepingComputer

Source: BleepingComputer

Fake Bitwarden websites are distributing installers that contain a new password-stealing malware called ZenRAT. The malware targets Windows users and collects browser data, credentials, and information about the infected host. The fake websites imitate the legitimate Bitwarden site and use typosquatting to deceive victims. Researchers at Proofpoint discovered ZenRAT and found that it is designed to be modular, with the potential for expanded capabilities. The malware is delivered through phishing campaigns and redirects users to a cloned page of an article about Bitwarden if they are not using Windows. The Bitwarden password manager has gained popularity, making it an attractive target for cybercriminals.

Beware of Malware-Infected Super Mario Games

Originally Published 2 years ago — by Decrypt

Source: Decrypt

A fan-made Super Mario game, Super Mario 3: Mario Forever, has been found to contain malware that can steal users' data and secretly install crypto mining software. The game's installer also installs XMR Miner, which runs a Monero cryptocurrency miner in the background, and Umbral Stealer, which can steal passwords, private information, webcam images, and crypto wallet information. The game has been downloaded nearly 17 million times from the Softendo website alone, and has been the subject of past investigations revealing malware and trojan horses.

Windows malware spread through Super Mario game

Originally Published 2 years ago — by BleepingComputer

Source: BleepingComputer

A trojanized installer for the popular Super Mario 3: Mario Forever game for Windows is infecting users with multiple malware strains, including an XMR miner and an information stealer called Umbral Stealer. The malware is likely promoted on gaming forums or social media groups, but its exact distribution channels are unknown. Users should scan their computers for malware, reset passwords at sensitive sites, and download software only from official sources.

New Atomic macOS Malware Targets Keychain Passwords, Crypto Wallets, and Credit Card Info

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

A new information stealer for macOS called Atomic macOS Stealer (AMOS) is being advertised on Telegram for $1,000 per month. The malware can steal Keychain passwords, system information, files, and even the macOS password. It can also extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. The malware is distributed under the guise of legitimate software and is delivered through phishing websites or by exploiting vulnerabilities. Users are advised to only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.

Millions at Risk: 3CX Desktop App Compromised in Supply Chain Attack

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

Cybersecurity vendors have warned of an active supply chain attack that is using digitally signed and rigged installers of the popular voice and video conferencing software, 3CX Desktop App, to target downstream customers. The attack, dubbed SmoothOperator, is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL. The attack may have commenced around March 22, 2023. 3CX is working on a software update for its desktop app and is urging its customers to uninstall the app and install it again or use the PWA client as a workaround. The attack has been attributed with high confidence to a North Korean nation-state actor, Labyrinth Chollima.